FreeBSD Bugzilla – Attachment 18071 Details for
Bug 32600
[PATCH] incorrect handling of parent rules in ipfw
[patch]
file.diff
file.diff (text/plain), 4.86 KB, created by
Dan Pelleg
on 2001-12-08 12:50:00 UTC
Description:
file.diff
Filename:
MIME Type:
Creator:
Dan Pelleg
Created:
2001-12-08 12:50:00 UTC
Size:
4.86 KB
patch
obsolete
>*** sys/netinet/ip_fw.c.orig Sun Nov 18 18:29:23 2001
>--- sys/netinet/ip_fw.c Mon Nov 26 07:03:08 2001
>***************
>*** 649,655 ****
> /* remove a refcount to the parent */ \
> if (q->dyn_type == DYN_LIMIT) \
> q->parent->count--; \
>! DEB(printf("-- unlink entry 0x%08x %d -> 0x%08x %d, %d left\n", \
> (q->id.src_ip), (q->id.src_port), \
> (q->id.dst_ip), (q->id.dst_port), dyn_count-1 ); ) \
> if (prev != NULL) \
>--- 649,656 ----
> /* remove a refcount to the parent */ \
> if (q->dyn_type == DYN_LIMIT) \
> q->parent->count--; \
>! DEB(printf("-- unlink entry %p 0x%08x %d -> 0x%08x %d, %d left\n", \
>! q, \
> (q->id.src_ip), (q->id.src_port), \
> (q->id.dst_ip), (q->id.dst_port), dyn_count-1 ); ) \
> if (prev != NULL) \
>***************
>*** 694,710 ****
> * and possibly more in the future.
> */
> int zap = ( rule == NULL || rule == q->rule);
>! if (zap)
>! zap = force || TIME_LEQ( q->expire , time_second );
> /* do not zap parent in first pass, record we need a second pass */
> if (q->dyn_type == DYN_LIMIT_PARENT) {
> max_pass = 1; /* we need a second pass */
> if (zap == 1 && (pass == 0 || q->count != 0) ) {
> zap = 0 ;
>! if (pass == 1) /* should not happen */
>! printf("OUCH! cannot remove rule, count %d\n",
>! q->count);
> }
> }
> if (zap) {
> UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
>--- 695,718 ----
> * and possibly more in the future.
> */
> int zap = ( rule == NULL || rule == q->rule);
>!
> /* do not zap parent in first pass, record we need a second pass */
> if (q->dyn_type == DYN_LIMIT_PARENT) {
> max_pass = 1; /* we need a second pass */
> if (zap == 1 && (pass == 0 || q->count != 0) ) {
> zap = 0 ;
>! if (force && pass == 1) { /* should not happen */
>! printf("OUCH! cannot remove rule %p 0x%08x %d -> 0x%08x %d, count %d, bucket %d\n",
>! q,
>! (q->id.src_ip), (q->id.src_port),
>! (q->id.dst_ip), (q->id.dst_port),
>! q->count,
>! i);
>! }
> }
>+ } else {
>+ if (zap)
>+ zap = force || TIME_LEQ( q->expire , time_second );
> }
> if (zap) {
> UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q);
>***************
>*** 882,891 ****
> r->next = ipfw_dyn_v[i] ;
> ipfw_dyn_v[i] = r ;
> dyn_count++ ;
>! DEB(printf("-- add entry 0x%08x %d -> 0x%08x %d, total %d\n",
> (r->id.src_ip), (r->id.src_port),
> (r->id.dst_ip), (r->id.dst_port),
>! dyn_count ); )
> return r;
> }
>
>--- 890,901 ----
> r->next = ipfw_dyn_v[i] ;
> ipfw_dyn_v[i] = r ;
> dyn_count++ ;
>! DEB(printf("-- add entry %p 0x%08x %d -> 0x%08x %d, total %d, bucket %d\n",
>! r,
> (r->id.src_ip), (r->id.src_port),
> (r->id.dst_ip), (r->id.dst_port),
>! dyn_count,
>! i); )
> return r;
> }
>
>***************
>*** 988,995 ****
>--- 998,1017 ----
> }
> if (parent->count >= conn_limit) {
> EXPIRE_DYN_CHAIN(rule); /* try to expire some */
>+ /*
>+ The expiry might have removed the parent too.
>+ We lookup again, which will re-create if necessary.
>+ */
>+ parent = lookup_dyn_parent(&id, rule);
>+ if (parent == NULL) {
>+ printf("add parent failed\n");
>+ return 1;
>+ }
> if (parent->count >= conn_limit) {
>+ if (last_log != time_second) {
>+ last_log = time_second ;
> printf("drop session, too many entries\n");
>+ }
> return 1;
> }
> }
>***************
>*** 1929,1934 ****
>--- 1951,1962 ----
> bcopy(p, dst, sizeof *p);
> (int)dst->rule = p->rule->fw_number ;
> /*
>+ * we should really set the parent field
>+ * to the corresponding parent in the new
>+ * structure. For now, just set it to NULL.
>+ */
>+ dst->parent = NULL ;
>+ /*
> * store a non-null value in "next". The userland
> * code will interpret a NULL here as a marker
> * for the last dynamic rule.
>*** sbin/ipfw/ipfw.c.orig Sun Nov 18 18:42:51 2001
>--- sbin/ipfw/ipfw.c Sat Nov 24 12:18:27 2001
>***************
>*** 813,822 ****
> (struct ipfw_dyn_rule *)&rules[num];
> struct in_addr a;
> struct protoent *pe;
>
> printf("## Dynamic rules:\n");
> for (;; d++) {
>! if (d->expire == 0 && !do_expired) {
> if (d->next == NULL)
> break;
> continue;
>--- 813,830 ----
> (struct ipfw_dyn_rule *)&rules[num];
> struct in_addr a;
> struct protoent *pe;
>+ int skip;
>
> printf("## Dynamic rules:\n");
> for (;; d++) {
>! /* determine whether to skip this rule */
>! skip = !do_expired;
>! if( d->dyn_type == DYN_LIMIT_PARENT) {
>! skip = skip && d->count == 0;
>! } else {
>! skip = skip && d->expire == 0;
>! }
>! if(skip) {
> if (d->next == NULL)
> break;
> continue;
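Review bot: For a DYN_LIMIT_PARENT, the `*** 694,710 ****` hunk of sys/netinet/ip_fw.c no longer consults `q->expire` or `force` at all: `zap` stays the bare rule match, so on the second pass every childless parent whose rule matches is unlinked whether or not its timer has run out, and — per the comment added in the `*** 988,995 ****` hunk — lookup_dyn_parent() re-creates it the next time a child arrives. That may well be intended (it also stops the "OUCH" message from firing for a parent that still has live children), but it is a lifetime change the hunk does not state, so the kept comment `/* do not zap parent in first pass, record we need a second pass */` should spell it out, e.g. `/* parents ignore the expire timer: removed on the second pass once count == 0, re-created on demand */`. The enclosing function starts and ends outside the hunk.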
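Review bot: In the `*** 988,995 ****` hunk the new `printf("add parent failed\n")` on the re-lookup path is not rate-limited, while the `drop session, too many entries` message a few lines below it now is; both are reached from the per-packet path exactly when the connection limit is being hit, so while the allocation keeps failing the console gets one line per incoming packet. Put the new message under the same guard: `if (last_log != time_second) { last_log = time_second; printf("add parent failed\n"); }`. `last_log` is not declared anywhere in this patch, so it presumably already exists in the enclosing function, which starts outside the hunk — worth confirming against the `.orig` tree.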
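Review bot: The comment added above `dst->parent = NULL ;` in the `*** 1929,1934 ****` hunk records the TODO but not the property the line provides: the preceding `bcopy(p, dst, sizeof *p)` copies the raw in-kernel struct into the buffer handed to userland, so a live `parent` would expose a kernel address and invite ipfw(8) to dereference it. Suggest extending the comment with `* The in-kernel pointer is meaningless (and must not be exposed) in userland, so it is cleared; consumers key off dyn_type instead.` — which is what the sbin/ipfw/ipfw.c hunk does by testing `d->dyn_type == DYN_LIMIT_PARENT` rather than `d->parent`. The enclosing function starts and ends outside the hunk.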
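Review bot: `if( d->dyn_type == DYN_LIMIT_PARENT) {` and `if(skip) {` in the sbin/ipfw/ipfw.c hunk use a different spacing from the surrounding `if (d->next == NULL)`; style(9) wants `if (`. The rule the block implements is only inferable from the code, so `/* determine whether to skip this rule */` could say what "expired" means for each kind: `/* skip expired entries unless do_expired: a parent is expired when it has no children left (count == 0), a flow when its timer is 0 */`. The enclosing for loop closes outside the hunk.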